The Daily Parker

Politics, Weather, Photography, and the Dog

PINs stolen from retailer; thousands of debit cards recalled

MSNBC is reporting today that thieves have stolen a batch of PINs from a retailer—PINs the retailer shouldn't have stored in the first place:

Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.
The central question surrounding the new wave of crime is this: How did the thieves manage to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
In recent weeks, Bank of America, Wells Fargo, Washington Mutual and Citibank have all reissued debit cards after detecting fraudulent activity. Smaller banks, such as Ohio-based National City Bank and Pennsylvania-based PNC Bank, have taken similar steps.

Bruce Schneier reported on this Monday, but now the scope of the crime is becoming more apparent.

So how did the thieves get the customers' PINs? It appears that a retailer stored them along with other credit-card data in its database, and the thieves stole the database:

[Gartner analyst Avivah Litan] says many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen.

The thing is, the retailers have no need to store the PINs:

While storing PINs is against network rules, many retailers inadvertently store the information, said Mike Urban, who runs Fair Isaac Inc.'s ATM fraud detection program called CardAlert. It ends up accidentally saved in temporary files and other software nooks and crannies.

ZDNet has this story too.

The solution to this problem, long known to conscientious software developers, is never to keep secrets unless they're absolutely necessary. I tell my clients all the time that neither I nor anyone else should ever know their passwords, for example.
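To make the "never keep secrets" rule concrete, here is an added example (not code from the original post or from any retailer's system): a Python sketch that drops the encrypted PIN field from a transaction before it is logged or saved, then audits log or temp-file lines for PIN blocks that slipped through anyway. The field name `pin_block`, the record layout, the 16-hex-character block format and all sample values are assumptions constructed for this illustration.

```python
import json
import re

# Assumption: the POS software names the encrypted PIN field "pin_block".
SENSITIVE_KEYS = {"pin_block"}

def strip_sensitive(obj):
    """Return a copy of obj with sensitive keys removed at any nesting depth."""
    if isinstance(obj, dict):
        return {k: strip_sensitive(v) for k, v in obj.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [strip_sensitive(v) for v in obj]
    return obj

def storable_record(txn):
    """Serialize a transaction for logs or the database, without the PIN block."""
    return json.dumps(strip_sensitive(txn), sort_keys=True)

# Matches pin_block=<16 hex> or "pin_block": "<16 hex>" (a 64-bit block in hex).
PIN_FIELD = re.compile(r'pin_block"?\s*[:=]\s*"?[0-9A-Fa-f]{16}\b', re.I)

def audit_lines(lines):
    """Return 1-based numbers of lines that still contain a PIN block field."""
    return [n for n, line in enumerate(lines, 1) if PIN_FIELD.search(line)]

# Constructed sample data: not real card or PIN values.
SAMPLE_TXN = {
    "terminal": "T-017",
    "amount_cents": 4599,
    "auth": {"pin_block": "0123456789ABCDEF", "result": "approved"},
}
SAMPLE_LOG = [
    "10:02:11 DEBUG request terminal=T-017 pin_block=0123456789ABCDEF",
    "10:02:12 INFO  " + storable_record(SAMPLE_TXN),
    '10:02:13 DEBUG raw {"auth": {"pin_block": "FEDCBA9876543210"}}',
]

if __name__ == "__main__":
    print(storable_record(SAMPLE_TXN))
    print("lines still holding a PIN block:", audit_lines(SAMPLE_LOG))
```

The audit step matters because, as the quoted article notes, the leak is usually a debug log or temp file rather than the main database; only the line written through `storable_record` comes back clean.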

It will be interesting, and important to every consumer, to see how liability for this event is apportioned. Sadly, most courts and legislators are woefully ignorant of the technology, which should lead to some fascinating legal work in coming months.

Until this issue gets resolved, which could take weeks, I urge people to be very careful using point-of-sale debit card readers. And if you suspect unauthorized activity on your bank account, call your bank immediately.

Dumb school administrators: the continuing story

Ah, the Peter Principle rears its ugly head once again, in its purest form.

MSNBC is reporting that a Costa Mesa, Calif., middle school has suspended students for viewing a Web page. They're also trying to expel the student who put up the page (internal links mine):

A middle school student faces expulsion for allegedly posting graphic threats against a classmate on the popular myspace.com Web site, and 20 of his classmates were suspended for viewing the posting, school officials said.
Police are investigating the boy's comments about his classmate at TeWinkle Middle School as a possible hate crime, and the district is trying to expel him.
According to three parents of the suspended students, the invitation to join the boy's MySpace group gave no indication of the alleged threat. They said the MySpace social group's name was "I hate (girl's name)" and included an expletive and an anti-Semitic reference.
... "With what the students can get into using the technology we are all concerned about it," Bob Metz, the district assistant superintendent of secondary education, said Wednesday.

Putting aside the somewhat complicated question about whether or how the school district should discipline the page's author, what are they thinking disciplining the kids who just viewed the posting? One of two things seems to be happening here: either MSNBC's reporting is sloppy (e.g., the kids didn't just view the posting, they committed an affirmative act endorsing it), or Metz is just not a very smart man. (As one snarky friend once put it, he Can't Understand New Technology.)

I'm thinking, it's a little of both. This comes not too long after a kid got expelled for a doodle in McHenry, Ill. The similarity is that a kid is getting disciplined harshly for expressing something. Now, it seems like this could be a valuable "teachable moment" for the kids involved, but it also seems like expulsion won't teach them anything helpful.

What is it about school administrators? Getting tough on free speech isn't exactly an American value.

Antarctic ice sheet melting; Miami doesn't care

I just started reading The Weather Makers by Tim Flannery, which contains a fairly good overview of climate change and how we're making it happen. It's important to understand that climate change has happened rapidly throughout history, meaning changes of 2-4°C (4-7°F) have occurred over decades rather than millennia.

So, having started that book yesterday, I'm warmed (so to speak) by this morning's Washington Post article on the shrinking Antarctic ice sheet:

The Antarctic ice sheet is losing as much as 36 cubic miles of ice a year in a trend that scientists link to global warming, according to a new paper that provides the first evidence that the sheet's total mass is shrinking significantly.
The new findings, which are being published today in the journal Science, suggest that global sea level could rise substantially over the next several centuries.
... [T]he amount of water pouring annually from the ice sheet into the ocean—equivalent to the amount of water the United States uses in three months—is causing global sea level to rise by 0.4 millimeters a year.

That may not sound like a lot, but (a) it's not the only ice sheet melting in the world and (b) it equates to a 30 cm (1 ft) rise in sea levels over the next century.

One more time: Global warming is great for Chicago, bad for Miami, disastrous for Bangladesh. And my own children will probably have to decide whether to build seawalls and polders around our coastal cities. The children of my Filipino friends probably won't have that option.

Borowitz on the President

Andy Borowitz today jokes about a hypothetical Bush visit to reality:

For Mr. Bush, the visit to reality, while brief, was still significant because it represented his first visit to the real world since being elected President in 2000.
"The President deserves a lot of credit for making this visit to reality," one aide said. "He doesn't have a natural constituency here."

Bush, Chertoff knew about levee failure possibility August 29th

The AP reported today that the President, Secretary Chertoff, and other officials were clearly warned about the likelihood of levee failures three days before Bush went on television claiming otherwise:

Bush didn't ask a single question during the final government-wide briefing the day before Katrina struck on Aug. 29 but assured soon-to-be-battered state officials: "We are fully prepared."
Six days of footage and transcripts obtained by The Associated Press show in excruciating detail that while federal officials anticipated the tragedy that unfolded in New Orleans and elsewhere along the Gulf Coast, they were fatally slow to realize they had not mustered enough resources to deal with the unprecedented disaster.

This is information the Administration didn't want published, for the simple reason that it makes them look stupid, just like all the other information they've wanted to keep secret for five years. It kind of makes you wonder what they're holding back on global warming, doesn't it?

In a not-entirely-unrelated vein, I had a conversation with a colleague today who claims to be more worried about the unlikely (but dramatic) possibility of an asteroid strike than the demonstrated (but, barring the occasional flood, humdrum) occurrence of global climate change. People are funny that way.

And you thought I only picked on Republicans

The best governor we've got claims he didn't know the Daily Show interview was a spoof when he sat down:

"It was going to be an interview on contraceptives...that's all I knew about it," Blagojevich, laughingly [sic], told the St. Louis Post-Dispatch in a story for Thursday's editions. "I had no idea I was going to be asked if I was 'the gay governor.'"
Interviewer Jason Jones pretended to stumble over Blagojevich's name before calling him "Gov. Smith." He later asked if Blagojevich was "the gay governor."

The Daily Show segment aired earlier this month.

In unrelated news, former Chicago Alderman Edwin Eisendrath is running in next month's Democratic primary against Gov. Smith.

A waste of a perfectly good scandal

Molly Ivins, on congressional reform:

Tom DeLay gets indicted, and all the Republicans can think of is a $20 gift ban. Forget the people talking about "lobby reform." The lobby does not need to be reformed, the Congress needs to be reformed. This is about congressional corruption, and it is not limited to the surface stuff like taking free meals, hotels and trips. This is about corruption that bites deep into the process of making laws in the public interest. The root of the rot is money (surprise!), and the only way to get control of the money is through public campaign financing.

You don't ask the local wolf pack to reform sheep-herding.

Our wacky administration

In its efforts to starve the Federal government out of existence, Bush cut $28 million—and 32 jobs—from the National Renewable Energy Laboratory.

Then he mentioned, in his state of the union speech, that we need renewable energy. Forgetting for a moment that the pusher-in-chief suddenly got religion on our addiction to (foreign) oil, it's still kind of embarrassing that he cut our renewable energy budget at the same time. Or, more to the point for these clowns, embarrassing that they got caught doing it.

So the 32 got their jobs back today:

Two weeks ago, the lab workers, including eight researchers, were laid off at the lab because of a $28 million budget shortfall. Then, over the weekend, at the direction of Energy Secretary Samuel Bodman, $5 million was transferred back to the lab to get the workers back on the job.
Lab officials are ecstatic about getting the positions back, although they say the remaining $23 million shortfall has forced delays in research subcontracted to universities and companies. Still, it was an untimely issue for the president, who flew to Colorado to push the energy initiatives he announced in his State of the Union address.

Quel faux pas!